> On 13 Sept 2024 at 16:13, etkaar <etk...@akayo.eu> wrote:
>
> Hi!
>
> I created this issue in January 2022, but it seems it hasn't been noticed yet
> (since you probably watch the mailing lists more than GitHub):
> https://github.com/php/php-src/issues/7913
>
> Kind Regards,
> etkaar
Hi,

* Defaulting `session.cookie_httponly` to `true` seems very reasonable.
* Beware that if you set `session.cookie_secure` to `true`, you will break websites that are not served over https. Moreover, the reason for the breakage may not be evident.
* You forgot another obvious setting: `session.cookie_samesite` must be "Lax" by default.
* We should also consider setting `session.use_strict_mode` to `true`, in order to mitigate session fixation attacks.

—Claude
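As an added illustration of the four settings discussed in the reply above (this is example code written for this page, not code from php-src or from either poster), the snippet below applies them at runtime before `session_start()`, with the equivalent `php.ini` directive noted beside each one. It assumes PHP 7.3 or newer (for the array form of `session_set_cookie_params()`), and the `$_SERVER['HTTPS']` check used to decide the Secure flag is an assumption about the deployment: behind a TLS-terminating proxy that variable is typically not set, and the decision would have to come from the proxy's forwarded headers instead.

```php
<?php
// Added example (not from the php-src thread): apply the session cookie
// hardening discussed above at runtime, before session_start().
// The equivalent php.ini line is given beside each setting.

declare(strict_types=1);

/**
 * Configure session cookie flags and strict session-ID handling.
 *
 * @param bool $servedOverHttps true when the site is reachable only over
 *                              HTTPS. The Secure flag must stay off for a
 *                              plain-HTTP site, otherwise the browser never
 *                              sends the cookie back and every request
 *                              silently starts a new session.
 */
function configure_hardened_session(bool $servedOverHttps): void
{
    // session.cookie_httponly = 1   -- cookie not readable from JavaScript
    // session.cookie_secure   = 1   -- only when served over HTTPS
    // session.cookie_samesite = Lax -- not attached to cross-site POSTs
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => $servedOverHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // session.use_strict_mode = 1 -- reject session IDs that the server did
    // not itself issue. This is what mitigates session fixation: an ID
    // planted in the victim's browser is discarded and a fresh one generated.
    ini_set('session.use_strict_mode', '1');
}

/** Return the effective values so a deployment can verify what it got. */
function session_hardening_report(): array
{
    $params = session_get_cookie_params();
    return [
        'httponly'    => (bool) $params['httponly'],
        'secure'      => (bool) $params['secure'],
        'samesite'    => $params['samesite'],
        'strict_mode' => ini_get('session.use_strict_mode') === '1',
    ];
}

// Usage: derive the Secure flag from the actual transport (assumption: the
// SAPI populates $_SERVER['HTTPS']; adjust when behind a TLS proxy), then start.
$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
configure_hardened_session($https);
session_start();
// var_dump(session_hardening_report());
```

The report function exists so an operator can confirm the flags in a deployment check rather than inferring them from browser behaviour; a missing Secure flag on an HTTPS site, or a present one on an HTTP site, both show up there before users report "I keep getting logged out".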